Author: rescue@crimefire.in

  • Healthcare data breach roundup: Atrium, Kaiser, UNC and more – Healthcare IT News


    June has been a busy month across healthcare, and not always for the best reasons. The number of data breaches at hospitals, health systems, health plans and elsewhere has been significant – even in comparison to the risk-fraught cybersecurity landscape we’ve all become accustomed to.
    Here’s a partial list, including some high-profile names.
    On June 3, Kaiser Permanente informed members of its Kaiser Foundation Health Plan of Washington of an unauthorized access incident that occurred on April 5, 2022.
    Kaiser security officials “discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident. We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.”
    PHI potentially exposed included names, medical record number, dates of service, and lab results, officials said, but Social Security and credit card numbers were not included.
    “We do not have any evidence of identity theft or misuse of protected health information as a result of this incident,” said Kaiser Permanente officials.
    At Atrium Health, officials served notice this month that an unauthorized third party “gained access to a home health employee’s business email and messaging account” via a phishing attack.
    After that incident, which occurred in April, Atrium Health at Home secured the affected account, confirmed the unauthorized party had no further access, notified law enforcement and engaged an outside security firm.
    “The behavior of the unauthorized party indicates they were likely focused on sending other phishing emails and not targeting medical or health information,” said Atrium officials. “Unfortunately, despite a thorough investigation, we could not conclusively determine whether personal information was actually accessed by the unauthorized party.”
    Personal information in the affected account may have included names, home addresses, dates of birth, health insurance information and medical information, including dates of service, the provider and facility, and/or diagnosis and treatment information.
    “For a limited subset of individuals, Social Security numbers, driver’s license/state ID numbers and/or financial account information also may have been involved,” officials said. “Our electronic medical record systems are separate from email accounts and were not affected by this incident.”
    Also this month, UNC Lenoir Health Care disclosed an incident involving a breach of patient information by MCG Health, one of its third-party business partners.
    MCG provides clinical support services, including patient care guidelines. UNC officials said that in December 2021 and January of this year, MCG “was contacted by an unknown third-party who claimed to have improperly obtained patient data from MCG.”
    This person “made a demand for money in exchange for the return of the patient data to MCG. MCG opened an investigation and contacted the FBI.”
    MCG informed UNC Lenoir of the incident in April, the health system said, and its forensic investigators confirmed that health records for 10 patients were listed for sale on the dark web.
    “These records are believed to have come from MCG,” said UNC officials. “Lenoir patient records were not found on the dark web, but MCG has determined that the unauthorized third-party may be in possession of Lenoir information which could include: patient name, Social Security number, medical codes, street address, telephone number, email address, date of birth and gender.”
    Shields Health Care Group, a Quincy, Massachusetts-based provider of management and imaging services, informed its healthcare customers in June of suspicious activity on its network.
    “With the assistance of third-party forensic specialists, we took immediate steps to contain the incident and to investigate the nature and scope of the incident,” which occurred in March, officials said.
    “An unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022,” according to Shields. “To date, we have no evidence to indicate that any information from this incident was used to commit identity theft or fraud. However, the type of information that was or may have been impacted could include one or more of the following: Full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.”
    Data breaches are nothing new in healthcare, of course, but in recent years the variety, frequency and, sometimes, severity of cybersecurity incidents have increased.
    The U.S. Department of Health and Human Services has offered help. Most recently, its Health Sector Cybersecurity Coordination Center, or HC3, published a new guidance on Strengthening Cyber Posture in the Health Sector on June 16. Among the steps it suggests:
    Conduct regular security posture assessments.
    Consistently monitor networks and software for vulnerabilities.
    Define which department owns what risks, and assign managers to specific risks.
    Regularly analyze gaps in your security controls.
    Define a few key security metrics.
    Create an incident response plan and a disaster recovery plan.
    But some hospitals and health systems still think the feds should be doing more to help manage the increasingly challenging burden as healthcare cyberattacks intensify.
    As Politico reported this past week, “from January through June, the Office of Civil Rights tallied 256 hacks and information breaches, up from 149 for the same period a year ago.”
    As those attacks increase – posing serious risks to patient safety – healthcare leaders are asking the government to do more to help protect the critical IT systems of U.S. providers.
    “It blows my mind that ultimately, it’s on the individual hospital systems to attempt to – essentially in isolation – figure it out,” Politico quotes Lee Milligan, chief information officer at Oregon-based Asante Health System. “If a nation state has bombed bridges that connect over the Mississippi River and connect state A and B, would we be looking at it in the same way? And yet the same risk to life happens when they shut down a health system.”
    Twitter: @MikeMiliardHITN
    Email the writer: mike.miliard@himssmedia.com

    Healthcare IT News is a HIMSS publication.
    © 2023 Healthcare IT News is a publication of HIMSS Media

  • Credit Card Data Breach: What It Is & Ways To Prevent It | Chase – Chase News & Stories


    A credit card data breach occurs when personal credit card data is exposed to an unauthorized individual. The data may include the card owner’s name and address, the card number, expiration date, and verification code (CVV). Breaches can occur accidentally, or thieves may intentionally steal credit card information to commit identity theft, make potential unauthorized purchases or open a new line of credit in someone else’s name.
    Having your data compromised in a breach may be nerve-wracking, but knowing what to do if you find yourself in this situation can help keep the damage to a minimum.
    Credit card data breaches involve the exposure of confidential data, but they can happen in any number of different ways.
    In some cases, a data breach may be entirely accidental. A company’s data protection measures could fail, exposing users’ credit card information to the public (including potential criminals who want to take advantage of it).
    Hackers and identity thieves use unscrupulous methods to access private information as well. In small-scale data breaches, they may get access to someone’s physical credit card and use it to make purchases. Alternatively, they may use a credit card skimmer — a piece of technology that can record credit card information when people swipe their cards at a machine — to capture credit card details. 
    Large-scale credit card breaches happen when criminals use tactics like phishing, SQL injection (slipping database commands into a web application through its input fields, so that the application’s database returns or alters data it should not) or fake websites, applications and text messages to obtain credit card information. These tactics can give criminals access to a company’s websites, applications or back-end databases, potentially exposing a lot of information all at once.
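    To make the SQL injection point concrete, here is an added example written for this page (it is not code from Chase or any card issuer). It uses Python’s built-in sqlite3 module with a constructed two-row `cards` table holding well-known test card numbers, not real data. The first lookup builds its query by string formatting, so an input such as `' OR '1'='1` rewrites the WHERE clause and returns every card on file; the second binds the same input as a parameter, so it is treated purely as a value and returns nothing.

```python
import sqlite3

# Constructed sample data for the demonstration: publicly known test PANs, not real cards.
SAMPLE_ROWS = [
    ("alice@example.com", "4111111111111111", "12/26"),
    ("bob@example.com", "5555555555554444", "03/27"),
]

# Classic tautology payload: closes the quoted string and appends an always-true condition.
INJECTION_PAYLOAD = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (email TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Untrusted input is pasted into the SQL text, so the caller controls the query's structure."""
    sql = f"SELECT email, pan FROM cards WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The driver binds the value separately from the SQL, so it can only ever be compared, not executed."""
    return conn.execute("SELECT email, pan FROM cards WHERE email = ?", (email,)).fetchall()


def demo() -> dict:
    """Run the same payload through both lookups and report how many card rows each one leaks."""
    conn = build_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, INJECTION_PAYLOAD)),      # every row
        "parameterized": len(lookup_parameterized(conn, INJECTION_PAYLOAD)),  # no rows
        "legit": len(lookup_parameterized(conn, "alice@example.com")),       # the one matching row
    }


if __name__ == "__main__":
    print(demo())
```

    The vulnerable query ends up as `SELECT email, pan FROM cards WHERE email = '' OR '1'='1'`, which is true for every row; the parameterized version compares the column against the literal eleven-character string and matches nothing. The same fix applies to every database driver: keep user input out of the query text entirely.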
    Depending on the situation, the user may be the first to realize something is wrong after spotting unfamiliar purchases on their credit card statement, in which case they should immediately contact their credit card issuer.
    Credit card companies also have a number of security measures in place to help monitor for suspicious activity and credit card theft. Fraud monitoring allows credit card companies to watch for suspicious transactions and may reach out to customers for verification. 
    In large-scale credit card data breaches, companies are required to inform customers that their information was compromised. In such situations, they will typically provide further context around what caused the breach and what information was accessed, and they’ll advise customers about what actions they should take. This may include reviewing statements for unauthorized purchases or changing compromised passwords.
    You can never be too careful with your credit card information. There are several actions you may consider taking to reduce the chances of having your information compromised in a breach — or used fraudulently in the event it is.
    One way criminals gain access to your credit card information is through a weak password. Using the same password for many different sites and services puts you at risk, as do simple passwords that are easy to guess, like “password123" or your pet’s name.
    Consider using unique and secure passwords for every site you use and updating your passwords frequently.
    Many online companies allow you to set up two-factor authentication. For example, a company may send you a code via text message, or have you enter a code from an authenticator app, when you are trying to log in. A security question is just another thing you know, so it adds far less protection than a code tied to a device you hold.
    This extra layer of protection may help prevent credit card breaches in the future.
    If you lose a credit card at any point, the credit card issuer can freeze the account. This will help prevent anyone who may have stolen your card from using it to make unauthorized purchases.
    If a credit card expires or you’ve stopped using it altogether, destroy the physical card before disposing of it. You can do this by cutting it up into small pieces and putting them in the waste bin.
    If you have a piece of mail or a printout with your Social Security number, credit card information, or any other identifying factors, a shredder may come in handy to help destroy any personal documents before anyone can find them and use them for future unauthorized purchases.
    Criminals attempt to steal your information in a variety of ways, so knowing the warning signs is a good way to protect yourself. Never click on a link sent to you via email or text message unless you know who sent it, and you know the person or company that sent it did so intentionally. 
    Remember, if someone else has fallen victim to identity theft, criminals may use their identity to gain your trust and get your information as well. So, if someone you know sends you a random message on social media or via text asking you to click a link, you may want to refrain from clicking until you’ve verified that the person sending you the link is who you think it is.
    Your credit card company most likely has methods in place to protect your information, but there may be additional security measures they offer that you may not be using. You can find out more by visiting their website or calling their customer service line and asking about what you can do to further protect your credit card information.
    If you have been informed that your credit card information has been compromised, you may want to review your credit card statements for unfamiliar purchases. You may also want to change the passwords on any accounts associated with the breach (even if you don’t see anything strange on your statements).
    Getting caught up in a data breach can be frustrating to say the least, but there are things that might help prevent this situation. When you know the warning signs and if you suspect your credit card data has been breached, there are steps you can take to help protect your personal information and your money.
    © 2023 JPMorgan Chase & Co.

  • What's New in the 2022 Cost of a Data Breach Report – Security Intelligence

    The average cost of a data breach reached an all-time high of $4.35 million this year, according to the newly published 2022 Cost of a Data Breach Report, an increase of 2.6% from a year ago and 12.7% since 2020.
    New research in this year’s report also reveals for the first time that 83% of organizations in the study have experienced more than one data breach and just 17% said this was their first data breach. And at a time when inflation is growing, breached businesses have passed higher costs to customers, with 60% of organizations in the study reporting that they increased the price of goods and services in response to losses from the breach.
    These are among the dozens of findings from the study of 550 organizations across a variety of industries and geographies that experienced a data breach between March 2021 and March 2022. Now in its 17th year, with research independently conducted by Ponemon Institute, and featuring analysis by IBM Security, the Cost of a Data Breach Report is among the leading benchmark reports in the security industry. It offers IT, security and business leaders a lens into risk factors that can increase the costs associated with a data breach, and which security practices and technologies can help mitigate security risk and financial damages.

    The use of security AI and automation has jumped by nearly one-fifth since 2020, and cost savings from security AI and automation were the highest of any factor studied.
    The percentage of organizations with security AI and automation deployed grew from 59% in 2020 to 70% in 2022, an 18.6% growth rate. Those organizations that reported their security AI and automation technologies are “fully deployed” — 31% of organizations — experienced breach costs that were $3.05 million less than at organizations with no security AI and automation. Data breaches at organizations with no security AI and automation deployed cost an average $6.2 million, compared to an average $3.15 million at organizations where security AI and automation was fully deployed.
    The ROI from security AI and automation is apparent from another metric, that of time. Security AI and automation not only reduced costs, but they also significantly lowered the time to identify and contain a data breach (i.e., the breach lifecycle). With those technologies fully deployed, the average lifecycle of a data breach was 74 days shorter than the average for no security AI and automation.
    IBM provides SOAR solutions to help businesses accelerate incident response with automation, process standardization and integration with businesses’ existing security tools. These capabilities enable a more dynamic response, providing security teams with intelligence to adapt and guidance to resolve incidents with agility and speed.

    Healthcare breach costs surged to $10.1 million, the highest average cost of any industry for 12th year in a row.
    While healthcare costs in the U.S. have seen increases between 6% and 7% since 2020, according to PwC, data breach costs in the industry have far outpaced overall healthcare inflation in the same time period. Healthcare industry breach costs surged 42%, growing from $7.13 million in 2020 to $10.10 million in 2022. Healthcare has been the highest cost industry for 12 years in a row.

    More organizations deploy zero trust in 2022 than they did in 2021, with cost savings of about $1 million.
    This was the second year that the report looked at the impact of a zero trust security framework on the average cost of a data breach. The share of organizations deploying a zero trust architecture grew from 35% in 2021 to 41% in 2022. The other 59% of organizations studied in the 2022 report, which do not deploy zero trust, incurred an average of $1 million in greater breach costs compared to those that do. The cost savings were even greater for those with a mature zero trust deployment: about $1.5 million lower compared to organizations at the initial stages of a zero trust program.
    Ransomware and destructive attacks were more expensive than the average breach in 2022, while the share of breaches involving ransomware grew by 41%.
    Last year was the first year that the report looked at the cost of ransomware and destructive attacks. The average cost of a ransomware attack — not including the cost of the ransom — went down slightly in 2022, from $4.62 million to $4.54 million, while destructive attacks increased in cost from $4.69 million to $5.12 million, compared to the global average of $4.35 million. The share of breaches caused by ransomware grew from 7.8% in 2021 to 11% in 2022, a growth rate of 41%.
    The impact of incident response teams and regularly tested incident response plans on cost was $2.66 million in average savings.
    Forming an incident response (IR) team and extensive testing of the IR plan were two of the most effective ways to mitigate the cost of a data breach. However, of studied businesses that have IR plans (73%), 37% don’t test their plan regularly. It’s essential that businesses routinely test their IR plans through tabletop exercises or run a breach scenario in a simulated environment, such as a cyber range.
    The 2022 study broke new ground in research with some fresh findings showing how the cost of a breach was affected by factors including supply chain compromises, critical infrastructure, and the skills gap. The study also explored how security technologies, including extended detection and response (XDR) and cloud security, impacted breach costs. Below are some of these findings.
    $4.82 million was the average cost of a critical infrastructure data breach.
    The average cost of a data breach for critical infrastructure organizations studied was $4.82 million — $1 million more than the average cost for organizations in other industries. Critical infrastructure organizations included those in the financial services, industrial, technology, energy, transportation, communication, healthcare, education, and public sector industries. Twenty-eight percent of critical infrastructure organizations experienced a destructive or ransomware attack, while 17% experienced a breach because of a business partner being compromised.
    45% of breaches occurred in the cloud, but breaches cost less in hybrid cloud environments.
    Forty-five percent of breaches in the study occurred in the cloud. Breaches that happened in a hybrid cloud environment cost an average of $3.80 million, compared to $4.24 million for breaches in private clouds and $5.02 million for breaches in public clouds. Organizations with a hybrid cloud model also had shorter breach lifecycles than organizations that solely adopt a public or private cloud model. It took 48 fewer days for hybrid cloud adopters to identify and contain a breach, compared to public cloud adopters.
    XDR technologies helped reduce breach lifecycles by almost a month.
    Those 44% of organizations with XDR technologies saw considerable advantages in response times. Organizations with XDR deployed had a data breach lifecycle that was on average 29 days shorter compared to organizations that didn’t implement XDR.
    XDR capabilities can help significantly reduce average data breach costs and breach lifecycles. For example, IBM Security QRadar XDR enabled businesses to detect and eliminate threats faster by leveraging its single unified workflow across tools.
    The skills gap cost organizations more than half a million dollars in data breach costs.
    Just 38% of organizations in the study said their security team was sufficiently staffed. This skills gap was associated with data breach costs that were $550,000 higher for understaffed organizations than for those with sufficiently staffed security teams.
    Nearly one-fifth of breaches were caused by a supply chain compromise, which cost more and took nearly a month longer to contain.
    A number of major attacks in recent years have reached organizations through the supply chain, such as organizations being breached due to the compromise of a business partner or supplier. In 2022, 19% of breaches were supply chain attacks, at an average cost of $4.46 million, slightly higher than the global average. Supply chain compromises had an average lifecycle that was 26 days longer than the global average lifecycle.
    The Cost of a Data Breach Report contains a wealth of information that can help organizations understand potential financial risks and benchmark costs based on a variety of factors. Plus, the report includes recommendations for security best practices based on IBM Security’s analysis of the research.
    John Zorabedian is a content marketing manager at IBM Security, with nearly a decade of experience in marketing in the cybersecurity industry. At IBM, he dir…

  • Cybersecurity startups to watch, according to VCs – Sifted

    Deeptech / Analysis
    By Sadia Nowshin
    It was recently estimated by the World Economic Forum that by 2025 there’ll be 463 exabytes of data created each day globally — that’s the equivalent of 212m DVDs, for those who remember them. That exponential growth of data sets up a skirmish between hackers trying to access that information and the cybersecurity startups trying to stop them — something investors are jumping on.
    Cybersecurity startups raised around $1.8bn in 2022, matching the total funding that the sector drummed up in the year before. Digital asset investment platform Copper raised the biggest round of the year — a $180m Series C from Tiger Global Management and Barclays PLC — followed by Nord Security’s $100m raise. 
    But which up-and-coming startups are VCs watching in the space? Here are the companies they’ve clocked, with one caveat: they weren’t allowed to pick any of their portfolio companies. 
    TempoCap is a European growth-stage technology fund with offices in London, Paris and Berlin focusing on enterprise software, cybersecurity and fintech. 
    Picks from Damien Henault, partner at TempoCap:
    Cado Security is a cybersecurity forensics and incident response platform. As global enterprises are migrating more data to the cloud, cyber attacks on cloud infrastructures are increasing. Cado Security offers a fully automated forensic-level data capture and processing solution that allows security teams to improve their response time to incidents and move faster than the attackers.
    HarfangLab is a next-generation Endpoint Detection and Response (EDR) solution that uses real-time behavioural analysis and advanced AI to detect invisible attacks and home in on real and critical cyber threats. HarfangLab’s platform is easy to deploy and manage while still being able to handle complex threats, which is a particularly valuable characteristic given the significant shortage of skilled cybersecurity talent.
    CounterCraft generates a real-time actionable intel feed using its deception platform. The tech lures in attackers using decoy targets to learn about potential hacker behaviour and inform defence tactics before a real attack has happened. 
    Human error is one of the most significant vulnerabilities in cybersecurity: the human element was involved in 82% of breaches, according to Verizon’s 2022 Data Breach Investigations Report. OutThink is a cybersecurity training and awareness SaaS platform focused on identifying, managing and mitigating human risk. It provides chief information security officers with the tools to establish a strong cyber risk-aware culture in their organisation, building a human firewall with the workforce as the first line of defence.
    Picks from Nick Kingsbury:
    General System has developed an indexing product that can capture massive data flows and analyse them for organisations in real time. Today, any real-time analysis is usually done only on summary data, and most data is only examined in forensic situations in relation to security risks. General System’s underlying tech is aimed at the Internet of Things (IoT), both in cybersecurity and industrial applications, like capturing aircraft or vehicle data to inform companies on the behaviour and movement of their customers. 
    Encrypted messages can act as a vector for injecting malware into an organisation. Venari provides a solution that examines both the metadata and encrypted payload of a message, using a combination of artificial intelligence, machine learning, behavioural analytics and a rules engine to provide valuable insights that can be used to improve the organisation’s ability to block potential attacks — all without decrypting the data. 
    RevEng uses machine learning to analyse binary code and detect potential malware. The company structures and analyses the binary to identify suspicious behaviour by searching for patterns within the code rather than for an exact byte sequence. Crucially, this means a sample can still be flagged as malicious even if the original malicious binary has been altered, which is exactly the case that defeats signature matching.
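    The claim above, that an altered binary can still be recognised, is worth seeing concretely. The Python below is an added illustration, not RevEng's code or model: it uses a constructed byte string as a stand-in for a small malicious binary, applies two cheap evasions an attacker might use (NOP insertion and a changed command-and-control label), and shows that the byte-exact SHA-256 no longer matches while two structural features (a byte 2-gram histogram with NOPs stripped, and the set of alphanumeric tokens) stay close. The sample bytes, feature choices and thresholds are assumptions for the demonstration; a real detector uses far richer features than this.

```python
"""Illustration of why byte-exact signatures miss a modified binary while
structural features survive. Constructed sample data; not RevEng's method."""
import hashlib
import re
from collections import Counter

# Constructed stand-in for a tiny malicious binary: a few x86-like opcode
# bytes plus two embedded strings. Assumption for the demo, not a real sample.
ORIGINAL = (
    b"\x55\x8b\xec\x83\xec\x20"                  # push ebp; mov ebp,esp; sub esp,0x20
    + b"cmd.exe /c whoami\x00"                   # command string
    + b"\xe8\x10\x00\x00\x00\xc3"                # call rel32; ret
    + b"http://c2.example.invalid/beacon\x00"    # C2 URL (reserved .invalid TLD)
    + b"\xc9\xc3"                                # leave; ret
)

NOP = 0x90


def mutate(sample: bytes) -> bytes:
    """Cheap evasions: prepend a NOP sled, insert a NOP after every `ret`,
    pad the tail with NOPs and relabel the C2 host (c2 -> c3)."""
    out = bytearray(b"\x90" * 8)
    for b in sample:
        out.append(b)
        if b == 0xC3:                # x86 `ret`: a safe place to insert junk
            out.append(NOP)
    out += b"\x90" * 4
    return bytes(out).replace(b"c2.example", b"c3.example")


def exact_hash(sample: bytes) -> str:
    """Byte-exact fingerprint, i.e. what a hash-based IOC list compares."""
    return hashlib.sha256(sample).hexdigest()


def token_set(sample: bytes) -> set:
    """Alphanumeric tokens of two or more characters, a crude stand-in for
    the `strings` output an analyst would eyeball."""
    return {t.decode("ascii") for t in re.findall(rb"[A-Za-z0-9]{2,}", sample)}


def bigram_profile(sample: bytes) -> Counter:
    """Byte 2-gram histogram with NOPs removed, so sleds and NOP insertion
    do not shift the profile."""
    filtered = bytes(b for b in sample if b != NOP)
    return Counter(filtered[i:i + 2] for i in range(len(filtered) - 1))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = sum(v * v for v in a.values()) ** 0.5
    nb = sum(v * v for v in b.values()) ** 0.5
    return dot / (na * nb) if na and nb else 0.0


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def compare(known: bytes, candidate: bytes) -> dict:
    """Score a candidate against a known-bad sample on three axes.
    Thresholds below are assumptions chosen for this demo."""
    bigram_sim = cosine(bigram_profile(known), bigram_profile(candidate))
    token_sim = jaccard(token_set(known), token_set(candidate))
    return {
        "hash_match": exact_hash(known) == exact_hash(candidate),
        "bigram_similarity": bigram_sim,
        "token_similarity": token_sim,
        "likely_variant": bigram_sim >= 0.9 and token_sim >= 0.5,
    }


if __name__ == "__main__":
    variant = mutate(ORIGINAL)
    print(compare(ORIGINAL, variant))
```

    Running it shows `hash_match` False for the mutated sample while `bigram_similarity` stays above 0.95 and `token_similarity` around 0.78, so the variant is still flagged; the same call on the unmodified sample scores 1.0 on both. The point for defenders is that hash-only blocklists fail on the first byte of change, which is why behavioural and structural features carry the weight in modern detection.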
    Eye Security is an all-in-one SME cyber solution that bundles cyber security measures together with cyber insurance. Hacking has sadly become more accessible thanks to much more scalable techniques, tech and ransom methods, which means malicious actors can now make money extorting smaller companies. Small to medium-sized companies lack the time and expertise to deal with these complex issues, so Eye Security combined the platform with insurance, and handles both the technical and financial risks.
    Hadrian likens itself to Google Maps for security infrastructure, helping chief information security officers to map, contextualise and prioritise potential vulnerabilities throughout their digital estate. As enterprises increasingly digitise, their threat surfaces have grown exponentially. This makes automated monitoring necessary, as well as intelligent solutions focused on the full context of a company’s tech stack and where and how it interacts with everything else. 
    Risk Ledger offers a new approach to supply chain and third-party cyber risk management. Often the most significant cyber vulnerability comes not from a company's own IT but from its partners and supply chain: one major hospitality chain was reportedly compromised via a networked aquarium controller in its lobby, for example, and on a larger scale we have seen the SolarWinds compromise, where malware reached customers through trojanised software updates. 
    Traditionally, companies handle supply chain risk via questionnaires. Risk Ledger has not only digitised this, but has created a centralised platform for both suppliers and companies — suppliers only need to update their information once and companies are continuously informed of any changes. Risk Ledger’s standardised assessments map to all key cyber frameworks and also take into account non-security risks, alongside integrating with cyber security software, so a company can develop a more comprehensive view of the risks.
    Sadia Nowshin is editorial assistant at Sifted. She tweets from @sadianowshin_

    source

  • Security's 2023 Top Cybersecurity Leaders – Security Magazine

    Security magazine is proud to present the honorees of our 3rd annual Top Cybersecurity Leaders program, which highlights enterprise information security executives and professionals and their industry accomplishments. This year’s nominees serve important roles across their organizations and the cybersecurity field as a whole, leading by example and bettering security through innovative approaches to risk and technology.
    The goal of the Top Cybersecurity Leaders program is to spotlight cybersecurity professionals who are making a difference in their organization and/or in the industry as a whole, and this year’s nominees didn’t disappoint. Our editorial staff was blown away by the caliber of this year’s nominations. We received an overwhelming number of nominees with years of experience, industry impact and cybersecurity leadership.
    It’s been our honor to profile just a few of the cybersecurity leaders who mitigate risk within their own organizations and further the profession of cybersecurity with their industry involvement and contributions on a daily basis.
    We’d like to thank our industry partner, ISACA, for their help in making these awards a success. Nominations for the 2024 Top Cybersecurity Leaders program will open in August of this year. Nominees do not need to be a member of ISACA to apply.
    Read on to learn about the 2023 Top Cybersecurity Leaders!

    Copyright ©2023. All Rights Reserved BNP Media.

    source

  • Opening remarks – Cyber Security Roundtable – Prime Minister of Australia

    ANTHONY ALBANESE, PRIME MINISTER: Welcome everyone. I begin by acknowledging the traditional owners of the land on which we meet and pay my respects to elders past, present, and emerging.
    And thank you so much for being a part of this Cyber Security Roundtable, and for bringing your insights and your expertise to this process, further developing a new National Cyber Security Strategy.
    Cyber security is national security, it is business security, but it is also personal security for 25 million Australians. And that’s why Minister O’Neil, the first Cabinet Minister to hold the Cyber Security portfolio, and I have brought together representatives from our intelligence agencies, our public service, but also independent experts, coming together with business, industry and civil society. I thank all of you for giving up your time and bringing your expertise to this forum.
    Strengthening Australia’s cyber security is a fundamental priority for our Government. We recognise it’s an essential part of life, of the way that every Australian and every business and every community organisation deals with each other on a day-to-day basis. It’s absolutely critical as well for maintaining trust in our public institutions, and our public service. It’s critical to maintain confidence in your commercial dealings, and also in your intellectual property, which is often the foundation of your wealth creation.
    It’s also vital to individuals. Individuals quite rightly feel violated when their details are online. It is no different from someone breaking into your house and stealing something from you, because it is your property, and in some cases it’s your identity as well. And we saw with breaches last year, I think, an increased awareness of just how important this is.
    So all of us understand how critical this is, which is why we’ve brought together such a high level group today. We, of course are conscious as a Government as well about state-sponsored attacks, which are increasingly prevalent, from stealing classified information, to cyber criminal acts aimed at seeking to secure some profit, or in some cases, ransomware attacks, which are increasingly prevalent as well.
    So, clearly as it stands, government policies and regulations, business sector systems and measures and our general awareness and capacity as a nation are simply not at the level that we need them to be. I think part of today is about raising awareness, but also, of course, about finding ways in which we can all go forward together.
    This is really fast moving. It’s a rapidly evolving threat, and for too many years Australia has been off the pace. Our Government is determined to change that. We want to use your expertise and your experience to build a National Cyber Security Strategy that is practical, that’s useful and that’s adaptable. For every level of Government, for every branch of the public service, for every agency and institution, for business, large and small, and for people.
    Educating our children as well, one of the things that is said around every soccer or netball or cricket field, from parents, is worrying about cyber issues, and worrying about the impact that it can have on our youngest Australians as well.
    Also, small business worry about how such an intervention can have an impact on them. Sole traders who reinvented their business model in the course of the pandemic, to keep their heads above water, can be targeted on this as well. And we can’t expect time poor businesses to do it by themselves.
    And that’s the idea of bringing this group together, to facilitate action and leadership across our economy, across our society, to make sure we address what is a very real challenge indeed.
    For businesses these days, cyber security is as important as having a lock on the door. You wouldn’t leave your business at the end of the day and just leave the door open, and that essentially is what will occur unless there’s more diligence, and unless we upgrade the level of security which is there.
    So we want all Australian businesses to be able to protect themselves, but also to protect their customers. And I don’t underestimate the challenge that we’re facing. This is an ever evolving threat and it will need adaptation from us and from business and government, to make sure that we keep on top of this.
    That’s why today, as well, as part of this process, we are announcing a Coordinator for Cyber Security. We want that coordination to be done centrally so that it’s most effective. That’s why that will be located in the Department of Home Affairs under the responsibility of Minister O’Neil, so that there’s a clear pathway forward, and I believe that is a critical contribution that we can make.
    So I thank all of you for joining us. I look forward to constructive discussion from this, I know that this is a conversation that’s happening around the water coolers, as they say, but happening right around our society, and I thank all of you for giving up your time here today. Thank you.

    source

  • Why the cybersecurity talent gap exists and how to solve it – Security Magazine

    This year has been one of significant growth for the cybersecurity industry. According to the 2022 (ISC)² Cybersecurity Workforce Study, the cyber workforce reached an all-time high of 4.7 million workers and added 464,000 new workers globally.

    Despite this, there is still a widely perceived talent shortage in the cybersecurity industry, both domestically and internationally, and companies feel like they can’t fill the positions they need.

    But what is causing this “shortage,” and what can be done to mitigate it? To best answer this question, it would help first to contextualize the perceived problem and what is causing it before we then address some potential solutions. 
    The increase in demand for cybersecurity workers has a two-pronged cause. Part of it is that there has certainly been an increase in cybersecurity threats in recent years, and 2022 was no exception. The other part of it is that consumers as a whole are valuing privacy and security much more than in prior years, and so robust cybersecurity features are increasingly becoming a marketable trait. It’s certainly possible that consumers are valuing security more precisely because of the increase in cybersecurity threats, but broadly speaking, these are the two patterns that underlie the growing demand for more cybersecurity talent. 

    And so, while part of the perceived shortage may be a result of this objective surge in demand for cybersecurity, part of it may also result from outdated or limited modes of thinking. The industry has grown tremendously to the point where there are now many branches of specialties within the overarching umbrella of cybersecurity, and no single individual can realistically be an expert in all of them, given how fast information moves and changes.

    A helpful analogy to use is the field of medicine. By sheer necessity, there are many specialties within medicine, and you have to hire physicians and medical personnel who are trained for those specialties. Similarly, if you try to find cybersecurity professionals who can do everything, you will naturally perceive a shortage as the field has become too complex and fragmented to realistically find experts that are jacks of all trades within the field of cybersecurity. The problem is less an objective lack of talent out there and more an obsolete set of expectations and hiring practices that could benefit from some updating. 

    Another potential cause may have to do with the relative scarcity of the most prized skill in cybersecurity. The best kind of cybersecurity work requires a certain ability to think outside the box and foresee problems that don’t even exist yet. Individuals with this gift are the most talented, skillful cybersecurity professionals, yet there really isn’t a reliable formula for transmitting such an ability at scale. You can teach people hard skills, and you can teach them tools and procedures, but teaching that kind of foresight and creative ability is more of an art and less of a clear-cut affair.

    While this may not be a primary reason for a perceived talent gap, one of the contributing factors may be that organizations understandably want to hire professionals that can accurately project future threats and prevent all breaches from occurring. When put in those terms, it is easy to understand how truly difficult that skill set is to come by.
    Generally speaking, cybersecurity problems lie on a spectrum between problems that can be addressed by the book by any competently trained professional or team using established technologies and procedures and problems that require specialized cybersecurity expertise. Sounil Yu’s Cyber Defense Matrix has been well-accepted for some time now. Organizations could greatly benefit by having built-in ways to identify where problems belong on this spectrum and identify potential solutions in advance of a security event. Once a new event is identified, a ticket can then be created for an in-house professional to solve it using established procedures, or it can be earmarked for the attention of a specialist.

    Fortunately, even for problems requiring specialization, there are numerous options for how to go about it. One way for companies with the available resources, would be to hire in-house specialists. Another way would be to outsource the work since having onsite specialists may not be a feasible option for some. A third way can be tapping into the power of community by crowdsourcing. A single individual, or even several of them, may not have the ability to hack a particular solution, but if you’re able to tap into a community of, say, 30 individuals, one or more of them just might have the right skill set.

    Employing some combination of these methods — hiring in-house specialists, outsourcing, and crowdsourcing — may actually be the way that an increasing number of organizations choose to go depending on their specific needs and resources.   

    Aside from properly identifying the level of specialization required for a problem, as well as tapping into the power of crowdsourcing, there are some other ways to further alleviate the perceived talent shortage. 

    The field of cybersecurity has gone through an interesting and somewhat ironic evolution. In its earlier phases, there was a strong culture of DIY and a pervasive belief that it didn't matter what your background or education level was so long as you could hack. Many in the community even actively identified themselves as outcasts or iconoclasts. However, over the years, as cybersecurity has become increasingly adopted by the enterprise, the field has necessarily become more industrial and standardized, and the pathways toward a career in cybersecurity have become more clearly defined: going to university, getting a degree, and getting the right certifications.

    In many ways, standardization is a good thing, but in the process, new barriers can get erected which were not there previously, potentially limiting the kind of diversity that would only strengthen the field. One thing that universities and organizations can, therefore, do is to continually think about how they can maintain standards and procedures while being cautious of not creating new barriers. Fortunately, the field as a whole seems to be noticing and working to address this.

    Another solution can lie in colleges and universities possibly rethinking their roles and upgrading their programs as deemed necessary. A good way to do this would be to continue to improve the lines of communication between universities and the very companies that are perceiving a shortage of talent. Universities can work to understand how they can better train students to meet organizations’ needs.

    Conversely, how can they also educate companies to have more realistic standards about the range of cybersecurity issues that a cybersecurity generalist can reasonably be expected to solve? Cybersecurity programs could also prioritize the kind of soft skills that make truly gifted cybersecurity professionals, such as the aforementioned ability to foresee problems that don’t exist yet. All the technical knowledge and skills in the world can only do so much good if a student can’t learn to adapt to new technologies and circumstances with the ability to interpret the world through the mindset of a hacker.

    Finally, apprenticeships are another way that universities and companies could work together to provide alternative career pathways that remove some of the barriers preventing more people from entering cybersecurity, as this, too, could help address the talent shortage. Crowdsourcing, once again, can also serve as an alternative pathway because whereas apprenticeships require a formal application process, with crowdsourcing, anyone can just immediately start doing it, build experience, gain exposure, and even get paid in the process via bounties. 

    The cybersecurity field is growing and evolving at breakneck speed. Regulations, technology and the threat landscape are all expanding rapidly. Expecting one person to be able to do everything (the way one might expect a plumber to be able to address every plumbing problem) inevitably limits the perceived pool of capable professionals. On a more objective level, having too many barriers to breaking into the field does the same. Both higher education institutions and companies can implement some of the aforementioned adjustments in order to play key roles in helping make the talent gap a thing of the past.

    Andrew Reifers is an associate teaching professor at the University of Washington Information School, where he teaches both undergraduate and graduate level courses in cybersecurity and information management. He has prior experience as a network security engineer, principal application security consultant and chief technology officer, and was an application security consultant at a startup company he saw grow into a large company that was eventually bought out by CA Technologies.

    source

  • 10M JD Sports Customers' Info Exposed in Data Breach – Dark Reading

    UK sportswear retailer JD Sports is warning some 10 million of its customers that their personal data — including name, billing address, delivery address, email address, phone number, order details, and last four payment card digits — might have been exposed in a recent cyberattack.
    Affected customers placed online orders with JD Sports between November 2018 and October 2020 for items branded JD Sports, Size?, Millets, Blacks, Scotts, and MilletSport, the company said in a statement.
    JD Sports said while it cannot definitively say whether the data was accessed, the system holding the data was, so as a precaution, JD Sports is notifying and advising impacted customers to remain on the lookout for social engineering scams.
    JD Sports does not store full payment card details, the retailer said, and there is no evidence that account passwords were compromised.
    “We want to apologize to those customers who may have been affected by this incident,” Neil Greenhalgh, JD sports chief financial officer said in the cyber-incident disclosure. “We are advising them to be vigilant about potential scam emails, calls, and texts and [are] providing details on how to report these. We are continuing with a full review of our cybersecurity in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD.”
    While disclosure is the right thing to do for the retailer, notes Lior Yaari, CEO of Grip Security, letting the public as well as potential threat actors know about the breach without first resetting account credentials might in itself attract the wrong kind of attention.
    “Retailers should approach a breach of customer data similar to an internal breach of employees — requiring every customer to reset their account credentials,” Yaari said in a statement provided to Dark Reading. “The official announcement from JD Sports and the news coverage sets the stage for the hackers to start sending out password reset phishing emails to the 10 million customers to harvest their credentials.”
    Yaari predicts additional attacks will be fueled by this breach.
    In fact, companies like JD Sports should avoid downplaying the significance of a compromise of customer data, according to Chris Denbigh-White, security strategist at data protection firm Next DLP.
    “In JD Sports’ press release, the company took great steps to reassure customers that the extent of potentially compromised information was ‘limited,’” Denbigh-White explained in a statement provided to Dark Reading. “To a consumer, this exposure of personal information, which cannot be changed, is not a trivial matter and is likely to lead to further phishing and fraud attempts.”
    Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.

    source

  • The 3 cybersecurity hiring trends experts predict for 2023 – Fortune

    Since the beginning of 2022, nearly 175,000 tech workers have lost their jobs in sweeping layoffs from firms both big and small, according to Layoffs.fyi, which tracks tech layoffs. No single industry or function has been immune from tech job losses, but cybersecurity roles still remain in high demand.
    Cybersecurity experts expect demand to remain high this year, and the U.S. Bureau of Labor Statistics projects that the number of cybersecurity jobs will grow by 35% between 2021 and 2031. Worldwide, there are about 3.5 million open cybersecurity jobs, according to Cybersecurity Ventures. In the U.S. alone, that number is about 770,000, data from Cyberseek, a cybersecurity industry research company, shows.
    “That number might decline, but I suspect you’ll see the number of jobs decrease that are available, but likely not switch to less jobs available than available talent,” Nick Schneider, president and CEO of cybersecurity company Arctic Wolf, tells Fortune. “There’ll still be a skills gap. It will just be smaller.”
    Fortune spoke with a few cybersecurity experts about what to expect for cybersecurity hiring trends in 2023. Cybersecurity pros predict that job demand will remain high, more women will land jobs in the industry, and that upskilling will be at the top of mind for both employees and employers.
    An economic downturn—i.e. a potential impending recession—is no time to cut cybersecurity talent. While no industry is truly “recession proof,” the cybersecurity industry is “largely insulated from market downturns,” as Danny Allan, chief technology officer of data protection firm Veeam, previously told Fortune. 
    That type of job security is largely due to the fact that data and digital services are critical to business operations, Allan adds. It is also because economic downturns can “ignite a fire under the bad actors” at the moment companies are most vulnerable, Schneider says. 
    “Companies can’t afford to not have cybersecurity continue through an economic downturn,” Schneider says. Bad actors “also understand that companies are tightening budgets and tightening headcount. It’s a good opportunity to attack. Hopefully most businesses don’t take this opportunity to trim security staff, and I don’t think that they will.”
    In the U.S., there are currently about 1.1 million people employed in the cybersecurity industry, data from Cyberseek shows. Globally, women hold about 25% of cybersecurity jobs, according to Cybersecurity Ventures. Experts predict that representation of women in cybersecurity will continue to grow this year. In fact, cybersecurity company ReasonLabs has already reached gender parity for its analysts.
    “What we are seeing today in the universities is the increase of women talent out there is close to 50-50 right now with the men,” Andrew Newman, chief technology officer at ReasonLabs, tells Fortune. “We’re definitely going to see a huge uptick in women employees. We’re heavily invested in that market today and we’re constantly looking to grow.”
    Large organizations like Microsoft Security are also prioritizing hiring more women who are cybersecurity professionals. Microsoft Security launched an initiative in which the company has committed to partnering with community colleges to train 250,000 people by 2025.
    “In the corporate world, we need to make sure we have diverse slates when hiring and that we are very intentional,” Vasu Jakkal, corporate vice president of Microsoft Security, told Fortune in a recent interview. “It’s going to take the entire village—from parents to school teachers to hiring managers to colleagues and peers to organizations—to elevate women and minorities into cybersecurity.”
    To help combat the talent gap and barriers to entry, nonprofit cybersecurity certification organization (ISC)² launched a free online program called Certified in Cybersecurity to help entry-level cybersecurity candidates learn the basics of cybersecurity, including security principles; business continuity (BC), disaster recovery (DR) and incident response concepts; access control concepts; network security; and security operations. In the three months since its inception, the program has registered more than 110,000 candidates.
    “As we promote hiring for non-technical skills and personality attributes, it [gives] that little extra insurance that allows [employers] to have confidence that this person has demonstrated that they have the capability to understand these core concepts,” Clar Rosso, CEO of (ISC)², previously told Fortune. “Since this workforce gap is this big hairy issue, this is what we’re investing in now.”
    Schneider also predicts that upskilling opportunities will act as an incentive for current cybersecurity workers to remain at their current posts as market volatility continues.
    “My suspicion is that’s where most businesses will intrigue cybersecurity professionals during an economic downturn. It won’t just be all about compensation,” he says. “It will be a good combination of having the right job, the right benefits, the right training and enablement and the right opportunity for these professionals within their organization to do what they want in their career.”

    source